
LUKS encryption

Set up new encrypted volume

Format

cryptsetup luksFormat --type luks2 /dev/<dev>
cryptsetup luksDump /dev/<dev>

Note the UUID shown in the luksDump output; it is the <LUKS UUID> used in the kernel command line below.

Open

cryptsetup luksOpen --allow-discards /dev/<dev> <name>

This creates the new device /dev/mapper/<name>.

Format

mkfs.btrfs /dev/mapper/<name>

Note the filesystem UUID that mkfs.btrfs prints (it is distinct from the LUKS UUID noted above).

Boot from unencrypted boot partition into encrypted root

In /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="bgrt_disable loglevel=4 rd.luks.uuid=<LUKS UUID> rd.luks.allow-discards"
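
A wrong rd.luks.uuid means the initramfs never unlocks the root volume, so it is worth checking the value against the LUKS header before rebooting. The script below is an added example, not part of the original notes: it compares the UUID in saved luksDump output with the one in a GRUB defaults file and reports whether discards are enabled. The function names, file names and sample UUID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that rd.luks.uuid in a GRUB defaults file names the
# LUKS header that `cryptsetup luksDump` reports. Sample data is constructed.

# Header UUID from `cryptsetup luksDump` output on stdin, lower-cased.
luks_uuid_from_dump() {
    awk '$1 == "UUID:" { print tolower($2); exit }'
}

# Kernel parameters from GRUB_CMDLINE_LINUX_DEFAULT in file $1, one per line.
grub_params() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr -s ' ' '\n'
}

# check_grub_luks DUMP_FILE GRUB_FILE
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if a UUID is missing.
check_grub_luks() {
    header=$(luks_uuid_from_dump < "$1")
    wanted=$(grub_params "$2" | sed -n 's/^rd\.luks\.uuid=//p' |
        head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$header" ] || [ -z "$wanted" ]; then
        echo "MISSING header='$header' grub='$wanted'"; return 2
    fi
    if [ "$header" != "$wanted" ]; then
        echo "MISMATCH header=$header grub=$wanted"; return 1
    fi
    # TRIM passthrough exposes which blocks are unused on the backing device.
    if grub_params "$2" | grep -qx 'rd\.luks\.allow-discards'; then
        echo "OK uuid=$header discards=on"
    else
        echo "OK uuid=$header discards=off"
    fi
}

# Constructed sample inputs (not taken from a real system), written to dir $1.
write_samples() {
    printf 'LUKS header information\nVersion:\t2\nUUID:\t\t%s\nLabel:\t\t(no label)\n' \
        '3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f' > "$1/dump.txt"
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX_DEFAULT="bgrt_disable loglevel=4 rd.luks.uuid=%s rd.luks.allow-discards"\n' \
        '3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f' > "$1/grub"
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
check_grub_luks "$dir/dump.txt" "$dir/grub"
rm -rf "$dir"
```

On a real system, save the output of cryptsetup luksDump /dev/<dev> to a file and pass that file together with /etc/default/grub to check_grub_luks.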